Solved: How can I modify my search to display a table only...

pavanae · ‎11-08-2016

I have my search as below

index=xyz source=yhg | convert ctime(_time) as Date_and_Time|convert timeformat="%m/%d/%Y %H:%M:%S" mktime(_time) as time  |eventstats range(time) as duration by student_id| stats avg(duration) as avgDurationPer_student_id by sudent_id | eval Total_time_spent(out_of_collage)=tostring(ceil(avgDurationPer_student_id), "duration") | table student_id Total_time_spent(out_of_collage)

The above search displays the result of the total time spent on the website by each student_id as below

student_id           Total_time_spent(out_of_collage)
X123345                19:39:35
H900639             20:05:58
D900643             17:47:40
V106127                00:00:00

Now how can I modify above search and display the above table only for only top 5 student_id's instead of listing out all the student_id's based on the Total_time_spent(out_of_collage) which is hours:minutes:seconds format

niketn · ‎11-08-2016

Try sort command to arrange records in descending order of Total time spent and then use head command to get only 5

your base search | sort - Total_time_spent(out_of_collage) | head 5

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎11-08-2016

Try sort command to arrange records in descending order of Total time spent and then use head command to get only 5

your base search | sort - Total_time_spent(out_of_collage) | head 5

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How can I modify my search to display a table only for top 5 student_id's instead of listing out all the student_id's?

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?